Manage people

Use the People page to add and manage end users within your organization.

To find this page from the Administrator Dashboard, click Directory, then choose People.

Options

On the People page for an individual, there are buttons to access the functionality listed below. If one or two actions are available, individual buttons appear. If more actions are available, a More actions button opens a drop-down menu containing the additional actions.

Add people

Adding people to your organization allows them to have their own My Applications page. Do the following to add end users to your org.

From the People page, click Add Person.

The Add Person modal displays.

Enter the First name and Last name.

Enter the Username.

The username must be in email address format, and is typically the user's primary email address. Users sign in with this username.

Note: For a list of the characters supported in Okta email addresses, see here.

Enter a Primary email address.

This can be any valid email address that the user can access; it is typically the same address as the username.

Optional - Enter a Secondary email.

This address can be used as a backup if the user can't access their primary email.

Optional - Assign the user to groups by typing the name of the group in the Groups field. A list of matching groups appears. Find the group you wish to add and click Add. Repeat to add additional groups.

Select whether the password is set by the end user or the Admin.

Set by user – The user is prompted to enter a password the first time they sign in to Okta.

Set by Admin – Enter a password for the end user. To prompt the user to change the password on their first sign-in, check User must change password on first login. Okta does not send this password to the user; you must provide it to the end user yourself.

Click Add Person, or add another by clicking Save and Add Another.

If you check the Send user activation email now checkbox, the end user immediately receives the Welcome to Okta! activation email. Otherwise, the user remains at Pending Activation status and is not notified by email of their Okta account.

Import and assign people from a CSV File

Along with the options for adding users described above, admins can create and update users in Okta by uploading a CSV file containing their user information. The imported data is validated and any errors are reported. The same file format is used both to add new users and to update existing users. Find this option on the Directory > People page.

To access the Import Users From CSV feature, do the following:

From the Administrative Dashboard, go to the Directory tab and choose People.

Click More Actions.

From this menu, choose Import Users From CSV.

The Import Users from CSV dialog box appears. Notice the this template link.

Click the this template link to download a template CSV file to populate with your user information. The template includes headers for all the attributes defined in your current Okta User profile.

Populate the attribute columns, at minimum the required ones. The first row must contain the header row from the template file you downloaded. Each subsequent row must contain one user, with all relevant information in the correct columns.

Upload the CSV file. Once uploaded, the file goes through a validation process to ensure that it is properly formatted. The system notifies you if errors occur.

One import option is Do not create a password and only allow login via Identity Provider. With this option, users are not sent activation emails and are not prompted to set up an Okta password. It is recommended only for users who will authenticate through an external Identity Provider.

Note the import options, then click the Import Users button.

Okta validates the CSV file, chiefly checking that it is formatted correctly and that all attribute requirements are met. Once validation completes, a summary lists the number of new users, updated users, unchanged users, and users that incurred errors. If errors are found, click the Download link to view the error report.
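You can run the same kind of checks locally before uploading, so that errors are caught in the file rather than read from the error report afterwards. The following Python script is an added example for this page, not Okta's own validator: it applies the rules stated above (template header in the first row, one user per row, base attributes present, username in email address format) to a constructed sample file. It assumes that the template's column names for the base attributes are the Okta profile variable names login, firstName, lastName and email, which this page does not state.

```python
"""Pre-flight checks for an Okta user-import CSV.

Added example for this page, not Okta's own import validator. Assumption not
stated on the page: the template's base-attribute column names are the Okta
profile variable names login, firstName, lastName and email.
"""
import csv
import io
import re

REQUIRED = ("login", "firstName", "lastName", "email")
# Deliberately loose shape check; Okta publishes its own list of supported characters.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample file: one good row and three rows with typical mistakes.
SAMPLE_CSV = """login,firstName,lastName,email,secondEmail,mobilePhone
alice@example.com,Alice,Adams,alice@example.com,alice.backup@example.net,
bob,Bob,Brown,bob@example.com,,
,Carol,Clark,carol@example.com,,
dave@example.com,Dave,Diaz,dave at example.com,,
"""


def validate_import_csv(text):
    """Return (valid_rows, errors); errors are (line_number, message) pairs."""
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    missing = [col for col in REQUIRED if col not in header]
    if missing:
        # Nothing else is worth checking if the template header was altered.
        return [], [(1, "header is missing required columns: " + ", ".join(missing))]

    valid, errors, seen_logins = [], [], set()
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        problems = []
        if row.get(None):  # DictReader parks surplus values under the None key
            problems.append("row has more values than header columns")
        for col in REQUIRED:
            if not (row.get(col) or "").strip():
                problems.append(f"{col} is empty")
        login = (row.get("login") or "").strip().lower()
        if login and not EMAIL_RE.match(login):
            problems.append("login must be in email address format")
        if login and login in seen_logins:
            problems.append("duplicate login within the file")
        seen_logins.add(login)
        email = (row.get("email") or "").strip()
        if email and not EMAIL_RE.match(email):
            problems.append("email is not a valid address")
        if problems:
            errors.extend((line_no, msg) for msg in problems)
        else:
            valid.append(row)
    return valid, errors


def summarize(valid, errors):
    """Mirror the shape of Okta's post-import summary: counts plus affected lines."""
    lines = sorted({line for line, _ in errors})
    return {"valid_rows": len(valid), "rows_with_errors": len(lines), "error_lines": lines}


if __name__ == "__main__":
    ok, errs = validate_import_csv(SAMPLE_CSV)
    print(summarize(ok, errs))
    for line, msg in errs:
        print(f"line {line}: {msg}")
```

Run it against the real export of your template instead of SAMPLE_CSV; a header failure stops the check immediately, since a changed header means every row would be mapped to the wrong attributes.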

Assign end users to apps from a CSV file

Unless provisioning is enabled, you can assign end users to a specific app via CSV import. This includes validation and error reporting of the imported data. As with CSV user imports, the CSV template is based on attributes defined in the Profile Editor. You must ensure that the Base attributes required by Okta (username, firstname, lastname and email) are included and mapped to Okta. These attributes should be left with the default data type of String.

From the Administrative Dashboard, go to Directory > Profile Editor.

Search to find the relevant app.

Click the Profile button and, if needed, add the Base attributes (username, firstname, lastname and email). For detailed instructions on adding attributes and mapping to Okta, see Profile Editor.

Include any Custom attributes you wish to include in the template.

Map these attributes from the App to Okta.

Once you have established the Base and Custom attributes for the particular app, you can generate the .csv file.

Upload the file and import it as described under Import and assign people from a CSV file above; the same import options, validation, and summary report apply. The import summary includes detail about any imported users requiring further review or action.

Add and update end users with Just In Time Provisioning

Just In Time (JIT) provisioning enables automatic user account creation in Okta the first time a user authenticates with AD Delegated Authentication, Desktop SSO, or inbound SAML.

JIT account creation and activation only works for end users who are not already Okta end users. (JIT updates the accounts of existing end users during full imports.) This means that end users who are confirmed on the import results page, regardless of whether or not they were subsequently activated, are not eligible for JIT activation. When JIT is enabled, users do not receive activation emails.

When using JIT provisioning with AD users, the procedure depends on whether delegated authentication is enabled.

If you have delegated authentication enabled, you do not need to import users from AD first for JIT provisioning to create Okta accounts.

If you do not have delegated authentication enabled, you must import the AD accounts first, and they must appear on the imported users list for JIT provisioning to create Okta accounts.

To enable JIT, click Edit under Just In Time Provisioning, and then click Enable Just In Time Provisioning.

Activate people

Activating people in your organization changes their account status from Pending Activation to Active. Newly activated end users receive an email that steps them through setting up their account within your org.

From the Okta People page you can view the status of each end user in the Status column. Statuses include Pending Activation, Active, Password reset, Locked out, Suspended, and Deactivated.

There are two ways to activate end users, depending on when their accounts were created:

If the user already appears under your Person & Username list and they are pending activation, you can activate them simply by clicking the Activate link, found in the Status column directly across from their name.

To activate one or more people who have been recently added, do the following:

From the More Actions menu, click Activate. The Activate People page appears.

From the list of users, select the users you want to activate and click Activate Selected. Or, click Activate All to activate everyone that appears on the list.

An Activate People dialog appears. Click Activate to activate the chosen end users, or click Cancel to abort. When activated, each user appears as Active in the Status column.

An email is sent to each user's primary or secondary email address, informing them that their accounts are active. Once active, they can access all the provisioned applications assigned to them.

You can also bulk activate users whose status is Pending Activation. To bulk-activate users, navigate to Directory > People and click Pending Activation. Click Bulk Activate at the top of the lists of users.

If you reactivate a person who was previously deactivated, the user is re-imported, but their apps remain unassigned.

Deactivate and delete People

Deactivating people in your organization changes their account status from Active to Deactivated. Deactivating end users revokes their app and group memberships.

To deactivate an end user:

From the More Actions menu, click Deactivate. The Deactivate People page appears.

From the list of users, select the users you want to deactivate and then click Deactivate Selected.

A Deactivate People dialog appears. Click Deactivate to confirm, or click Cancel to abort.

A deactivation email is sent, and the end user is listed as Deactivated in the Status column. Once deactivated, a user's profile cannot be changed unless the user is made active again.

Permanently delete an end user account

You can permanently delete a deactivated user with the Delete button that appears on the directory screen for that user. You cannot undo this deletion. After the deletion, the user is not visible on the People page and is not returned in API responses. However, any log entries that reference the user are retained. After deletion you can reuse the username and other identifiers.

Note: You cannot delete a user that is set as the technical or billing contact.

Suspend and unsuspend people

Suspending people in your organization changes their account status from Active to Suspended. Suspended users cannot sign in to Okta and see a message indicating that they are suspended; sign-in through Okta to apps that support SAML is blocked as well. App and group memberships are retained for suspended users and take effect again if the user is subsequently unsuspended.

Unsuspending people changes their account status from Suspended to Active. All app and group memberships are restored.

Suspending people is useful for temporary and contract workers and employees on leaves of absence if you want to pause and later resume access. This state is also useful if an employee leaves but the admin wants to review group and app assignments.

To suspend an end user click the Suspend button on a user's page.

A list of all suspended users is available as a filter.

To unsuspend a user, click the Unsuspend button.

Assign applications to people

When setting up or managing end user accounts, you can assign the applications you want to display on end users' My Applications (or Home) page. You can assign applications from the People page or the Applications page.

To assign applications from the People page:

Go to Directory > People.

Click an end user's name.

Select the Applications tab.

Click Assign Applications.

You can select applications from the list of available applications or use the Search box to search for applications by name. Once you have located the application you want to assign, click Assign App.

Enter sign-in information such as the username. Note that this is not the user's Okta sign-in username, but the username the person uses to sign in to the application individually.

Enter application data options as needed. The required data depends on the application and may include information such as parameters that define the user to the application, profiles, or roles. You may also have to provide credential security options.

Click Save and Go Back.

For details on how to assign applications from the Applications page, see Applications.

You can assign applications to individual users manually, as described above, but you may find it more convenient to assign applications to entire groups. For details, see Importing and Using Groups in Okta.

Unassign people from applications

You can unassign a user from one or more applications, thereby removing the app from the user's My Applications or home page.

Go to the People page.

Click the end user's name.

On the Applications tab, click the X next to the application to remove the user's access. This removes the application button from the user's My Applications page.

Note: If the user was assigned to the application as a member of a Group, in order to unassign the user from the application you would need to either move the user out of the group or unassign the application from the entire Group.

Unlock an individual end user's account

To unlock a locked user account:

Go to Directory > People.

Locked users are shown as Locked out in the Status column.

Click the user whose account you want to unlock.

In the Applications tab, click More Actions, and then click Unlock Account.

Unlock end user accounts in bulk

Unlock a group of user accounts:

Go to Directory > People > More Actions > Unlock People.

The Unlock People page lists the users whose accounts are locked out.

Select all the users whose accounts you want to unlock.

Click Unlock People at the bottom of the screen.

When prompted, confirm unlocking the accounts by clicking Unlock.

Reset end user passwords

Password resets can be performed for an active individual end user, or for multiple end users whose accounts are currently in a Locked Out condition.

This feature is Generally Available for orgs using Active Directory. This is an Early Access feature for orgs using LDAP.

To reset an individual end user's password:

From the People page, click the user whose password needs to be reset.

Click the Reset Password button at the top of the page.

In the window that appears, click one of the following:

Reset Password Link – Sends an Account Password Reset email to the user containing a password reset link.

Temporary Password – Generates a random password that you must deliver to the user. The user must change this password at their next sign-in.

Note: For users who have not completed their initial activation the only option available will be Reset Password Link.

Orgs using Active Directory also have the option to reset multiple end user passwords at once.

Note: This feature is not available for LDAP.

To reset multiple locked out user passwords, do the following:

From the People page, click Reset Passwords.

On the Reset Passwords page, select the users whose password you'd like to reset.

Click Reset Password.

An Account Password Reset email is sent to the specified email address. It includes an auto-generated password.

An end user who has forgotten their password can also reset it themselves using SMS. With SMS configured, end users can have Okta send them a text message with a password reset code.

Note: This feature is free in the United States and Canada. Admins of international orgs should contact Customer Support before enabling SMS.

Enable self-service password resets for AD-mastered end users

You can enable password resets for AD-mastered end users. Once you have done this, the Reset Password button appears for these end users.

Notes:

This feature must be enabled for your org.

If you have the Group Password Policy feature enabled, the self-service password reset settings described here are overridden.

When this feature is enabled, bulk password expiration includes AD-mastered users.

To allow a password reset for AD-mastered users:

Expire end user passwords

You can expire end user passwords in bulk or individually.

Expire All End-User Passwords

The Expire Passwords feature allows you to expire the passwords of all Okta-mastered users with one click. Every Okta-mastered user is forced to change their password at their next sign-in.

Keep in mind the following:

Active sessions remain active. The user is prompted for a new password at the next Okta sign in.

You can use the App Password Health Report on the Reports page to monitor how your users reset their passwords.

API tokens are not expired. API tokens are valid for 30 days and renew automatically with each request to Okta. For more information on API token expiration and revocation, see API Tokens.

Bulk password expiration only applies to Okta-managed users, unless the Active Directory Password Reset feature is enabled. The passwords for users managed through Active Directory and LDAP delegated authentication are not expired. Your Active Directory and LDAP agents will continue to work even if the service account managed by Okta has an expired password.

If you are responding to a security vulnerability, ensure that your applications are already patched and no longer vulnerable before resetting the Okta password.

When a user's Okta password is changed, all applications assigned to the user that support Provisioning and are Sync Password enabled are updated with the new password.

To expire the passwords of all Okta-mastered end-users, do the following:

From the People page, click More Actions > Expire Passwords.

On the confirmation page, click Expire Passwords.

Expire an individual end user's password through the Admin Console

You can effectively expire an individual's Okta password by assigning them a temporary password. The user is required to change their password the next time they sign in.

Go to Directory > People.

Click the user whose password you want to expire.

Click Reset Password.

Click Temporary Password.

A temporary password is created for the account and the account is marked as expired. The temporary password is displayed for your information. Be sure to distribute the new password to the user securely; for example, by email or voice mail. The next time the user signs into Okta, they must enter the temporary password and create a new password.

Note: After you generate a temporary password, you cannot create a password reset link. The message Password reset. User is now in one-time password mode. is displayed when viewing the user.

Expiring an individual end user's password through the Okta API

The Okta API provides a credential lifecycle operation to expire a password for a specific user. Unlike the Admin Console procedure above, the API can expire only the current password without generating a new temporary password.
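The lifecycle operations described in the sections above (deactivate and permanently delete, suspend and unsuspend, unlock, and expiring a password with or without a temporary one) are all exposed through the Users API. The following Python client is an added example for this page, not Okta's SDK and not code from the page. It calls the documented Users API lifecycle endpoints with the SSWS API-token header and accepts an injectable transport, so the demo runs offline against FakeOkta, a constructed stand-in that models the status transitions this page describes; the org URL, API token and user ids are placeholders.

```python
"""Okta Users API lifecycle operations (added example, not Okta's SDK).
Endpoints: POST /api/v1/users/{id}/lifecycle/<op> and DELETE /api/v1/users/{id}.
FakeOkta is a constructed offline stand-in that models the status transitions
the page describes; org URL, token and user ids are placeholders."""
import json
import urllib.request


class OktaUsers:
    def __init__(self, org_url, api_token, transport=None):
        self.org_url = org_url.rstrip("/")
        self.headers = {"Authorization": "SSWS " + api_token,  # Okta API-token scheme
                        "Accept": "application/json", "Content-Type": "application/json"}
        self.transport = transport or self._http  # (method, url, body) -> (status, json)

    def _http(self, method, url, body):  # real HTTPS call; unused by the offline demo
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)

    def _lifecycle(self, user_id, op, query=""):
        return self.transport("POST", f"{self.org_url}/api/v1/users/{user_id}/lifecycle/{op}{query}", None)

    def suspend(self, user_id):      # sign-in blocked, app/group memberships retained
        return self._lifecycle(user_id, "suspend")

    def unsuspend(self, user_id):
        return self._lifecycle(user_id, "unsuspend")

    def unlock(self, user_id):
        return self._lifecycle(user_id, "unlock")

    def deactivate(self, user_id):   # revokes app and group memberships
        return self._lifecycle(user_id, "deactivate")

    def expire_password(self, user_id, temp_password=False):
        # tempPassword=false expires only the current password; true also sets and
        # returns a one-time temporary password, like the Admin Console's button.
        return self._lifecycle(user_id, "expire_password",
                               "?tempPassword=" + ("true" if temp_password else "false"))

    def delete(self, user_id):
        # On a user who is not yet deactivated DELETE only deactivates; on a
        # deactivated user it deletes permanently, which cannot be undone.
        return self.transport("DELETE", f"{self.org_url}/api/v1/users/{user_id}", None)


def offboard(client, user_id):
    """Deactivate, then permanently delete; returns both HTTP statuses."""
    return client.deactivate(user_id)[0], client.delete(user_id)[0]


class FakeOkta:
    """Constructed stand-in transport: one status per user id, enforcing the
    transitions the page describes. Responses are simplified, not Okta's."""
    TRANSITIONS = {"suspend": ("ACTIVE", "SUSPENDED"), "unsuspend": ("SUSPENDED", "ACTIVE"),
                   "unlock": ("LOCKED_OUT", "ACTIVE"), "expire_password": ("ACTIVE", "PASSWORD_EXPIRED")}

    def __init__(self, users):
        self.users = dict(users)  # user id -> status
        self.calls = []

    def __call__(self, method, url, body):
        self.calls.append((method, url))
        uid, _, rest = url.split("/api/v1/users/", 1)[1].partition("/lifecycle/")
        op, _, query = rest.partition("?")
        if uid not in self.users:
            return 404, {"errorSummary": "Not found"}
        status = self.users[uid]
        if method == "DELETE":
            if status == "DEPROVISIONED":
                del self.users[uid]                # second DELETE: gone for good
            else:
                self.users[uid] = "DEPROVISIONED"  # first DELETE only deactivates
            return 204, None
        if op == "deactivate":
            if status == "DEPROVISIONED":
                return 400, {"errorSummary": "already deactivated"}
            self.users[uid] = "DEPROVISIONED"
            return 200, {"status": "DEPROVISIONED"}
        before, after = self.TRANSITIONS.get(op, (None, None))
        if status != before:
            return 400, {"errorSummary": f"{op} not allowed from {status}"}
        self.users[uid] = after
        if op == "expire_password" and "tempPassword=true" in query:
            return 200, {"tempPassword": "Constructed-Temp-1"}  # Okta returns a random one
        return 200, {"status": after}


if __name__ == "__main__":
    fake = FakeOkta({"00u1": "ACTIVE", "00u2": "LOCKED_OUT", "00u3": "ACTIVE"})
    client = OktaUsers("https://example.okta.com", "API_TOKEN_PLACEHOLDER", transport=fake)
    print(client.suspend("00u1"), client.unsuspend("00u1"))  # leave of absence and return
    print(client.unlock("00u2"), client.expire_password("00u3", temp_password=True))
    print(offboard(client, "00u1"), "00u1" in fake.users)   # (200, 204) False
```

The offboard helper makes the two-step nature of permanent deletion explicit: a single DELETE on an active user only deactivates, and the irreversible removal happens on the second call, so a script that loops over a list of ids and calls delete once will leave deactivated accounts behind rather than removing them.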

Portal or External Users

If your Okta organization powers an external user portal, the bulk password expiration feature may not be a viable solution. To use bulk expiration, your portal must support a password expiration flow and handle the following error code for the Create Session API operation.

Revoke an end user's Windows Device Trust certificates

You can revoke an individual end user's Windows Device Trust certificate(s) through their Applications tab. This is recommended if an end user's Windows computer is lost or stolen. Performing this procedure revokes all Device Trust certificates issued to that end user.

All Device Trust certificates issued to the end user are revoked from the Okta Certificate Authority but are not removed from end user devices. To remove certificates from end users’ devices, you must use a third party management tool such as GPO or SCCM.

To re-secure a device for which certificates were revoked, you must first remove any existing device trust certificate from the device and then re-enroll the certificate. A new certificate cannot be enrolled on a device if another Windows Device Trust certificate is already present, although no error message is displayed.

The end user's Device Trust certificate is also revoked automatically from the Okta Certificate Authority if the end user is deactivated in Okta.

Go to Directory > People.

Click on the end user whose Device Trust certificate you want to revoke.

In the More Actions menu, click Revoke Trust Certificate.

Read the message that displays, and then click Revoke Trust Certificate.

Enable end user self-service password reset using SMS

How you enable end user self-service password reset depends on whether or not your org has Group Password Policy configured.

With Group Password Policy configured

Without Group Password Policy configured

To enable end users to reset their password using SMS:

Navigate to Security > General.

In the Organization section, click Edit.

Enable the Allow SMS for self-service operations option.

Note: If an invalid user attempts entry through a Forgot Password or Unlock Account action, an error message will not display. This is by design, as an error message could potentially reveal when a user name represents a valid account.

During onboarding, new end users must provide their name and username to activate their account, but may postpone providing certain optional information (such as a phone number and a secondary email address). Users who postpone are later prompted with the message Please update your profile on the first of the following month, or the next time they sign in to Okta after that date. At that point they can click Add Phone Number to specify a phone for SMS messages, or click Remind me later to be reminded again in the same way the following month.

The SMS feature includes an SMS Usage category on the Reports page. The SMS Usage Report enables admins to monitor the number of SMS messages sent.

Set up SMS password reset – New Users

When new users sign into Okta for the first time they can set up their phone for SMS password reset by clicking the Add phone number button.

The end user is asked to enter a mobile phone number. This allows an initial verification code to be sent to their phone.

The end user enters the verification code sent to their phone and is then authenticated into Okta.

Set up password reset – Existing Users

Existing end users can set up SMS password reset from their Home > Settings page.

From their Home page, end users click on their name and then click Settings.

End user self-service password reset with SMS

End users then click Send Text Message and continue through the prompts to reset their password.

Reset or reconfigure a phone

This is an Early Access feature. To enable it, please contact Okta Support.

End users who lose a phone or get a new number can reset or reconfigure their phones by updating their Home > Settings page.

Use Voice Call for Password Resets

Enable this feature to allow end users who have forgotten their passwords to reset them using Voice Call authentication. With Voice Call configured, end users receive a voice call on their mobile or landline phone that reads out a recovery code. The call is made in the default language of the user's account. If that language is not among those supported for voice calls, the call is made in English. You cannot customize the wording in any language.

Admins can manage users in groups or individually. Each end user has a unique identity account within Okta, from which the admin can manage their applications, group memberships, and general account information.

To manage an individual end user, go to Directory > People and click an end user's name. Choose one of the following tabs:

Applications tab

This page lists all of the end user's current application assignments. Click Assign Applications to add more. To do so:

Go to People > Applications tab.

Click Assign Applications under the Assigned Applications banner.

From the list of available applications, select the desired application.

Select application data options as needed.

Each application has its own list of required application data. This application data can be additional parameters that define the user to the application. For example, some applications require a profile or roles. For these types of applications, you also have to select credential security options from the drop-down menu.

Enter the user name assigned to the person for the application. This is not the Okta sign in user name, but the user name the person uses for signing in to the application individually.

Click Save.

Groups tab

This page displays an end user's current group memberships, and allows an admin to add or remove them from a group.

Note: if you wish to add or remove more than one user (or "bulk" users), see Groups Page, below.

Add an end user to a group

Go to People > Groups tab.

Enter a valid group name into the field under the Groups banner. If the group is valid, it will auto complete your entry.

Click Add. The end user is now a member of that group.

Removing an end user from a group

Go to People > Groups tab.

From the list of group names, click the x of the group from which you wish to remove the end user.

Click Remove in the confirmation dialog.

The group is removed from the list and the end user is no longer a member. This does not delete the group itself.

Profile tab

You can edit a user's attributes using the Profile tab. This page shows all applicable attributes for a user: first and last name, username, primary and secondary email addresses, to name a few. To edit an attribute, do the following:

Go to People > Profile tab.

Click Edit.

Enter the new attributes in the relevant fields as needed. A primary email must be listed.